Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

At Mobile Pwn2Own, $215K Awarded for Android, iPhone Hacks

Security researchers participating in the contest were able to exploit fully patched Android and iPhone devices successfully, but the biggest prize was left unclaimed.

At the 2016 mobile Pwn2Own event, held on Oct. 26 in Tokyo, security researchers were able to exploit devices that vendors had fully patched. In total, Trend Micro's Zero Day Initiative (ZDI) awarded $215,000 to researchers for security flaws in an Android Nexus 6P and an Apple iPhone 6S

"We're always pleasantly surprised by the quality of research presented at Pwn2Own competitions," said Dustin Childs, director of communications for ZDI. "Beyond that, we were somewhat surprised by the amount of entries targeting the installation of rogue applications and the ease with which they did it."

Tencent's Keen Security Lab Team was able to successfully install a rogue application on a fully patched Google Nexus 6P, which earned a $102,500 award. The Keen Security Lab Team discovered and exploited two new vulnerabilities in Android to install the rogue application.

The Keen Security Lab Team attempted to install a rogue application on an Apple iPhone 6S, with limited success. Although the researchers were able to get the rogue app to install, it did not stay on the device after a reboot. ZDI awarded the Keen Security Lab Team $60,000 for its partial success. A full compromise of the iPhone 6S that would have enabled a rogue application to be installed and then persist after reboot would have earned a $125,000 award.

Further reading

The iPhone 6S was further exploited by the Keen Security Lab Team to a hack that was able to leak photos from the devices. According to ZDI, the researchers employed a use-after-free memory flaw as well as a memory corruption bug in order to steal the photos. The photo leakage hack earned the researchers a $52,500 award.

Not every attempt at the mobile Pwn2own event was successful. Robert Miller and Georgi Geshev from MWR Labs were unable to successfully install a rogue application on the Nexus 6P, as a result of a patch to Google Chrome that came out just ahead of the contest.

"The subsystem they were relying on for their exploit became unreliable with the latest release of Google Chrome," Childs said. "This resulted in some program instability unrelated to the exploit."

Perhaps most notably, the biggest prize that ZDI was offering at the event went unclaimed; it was for an exploit to force an iPhone to unlock, which would have earned the successful researcher a $250,000 prize.

"No one attempted this exploit," Childs said. "We are encouraging researchers to submit something along these lines next year."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter@TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.